mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00

2016-11-01 10:01:31 -07:00

21 KiB

Raw Blame History

title, description, keywords, ms.prod, ms.mktglfcycl, localizationpriority, author

title	description	keywords	ms.prod	ms.mktglfcycl	localizationpriority	author
Deploy Device Guard - enable virtualization-based security (Windows 10)	This article describes how to enable virtualization-based security, one of the main features that are part of Device Guard in Windows 10.	virtualization, security, malware	w10	deploy	high	brianlic-msft

Deploy Device Guard: enable virtualization-based security

Applies to

Windows 10
Windows Server 2016

Hardware-based security features, also called virtualization-based security or VBS, make up a large part of Device Guard security offerings. VBS reinforces the most important feature of Device Guard: configurable code integrity. There are a few steps to configure hardware-based security features in Device Guard:

Decide whether to use the procedures in this topic, or to use the Device Guard readiness tool. To enable VBS, you can download and use the hardware readiness tool on the Microsoft Download Center, or follow the procedures in this topic.
Verify that hardware and firmware requirements are met. Verify that your client computers possess the necessary hardware and firmware to run these features. A list of requirements for hardware-based security features is available in Hardware, firmware, and software requirements for Device Guard.
Enable the necessary Windows features. There are several ways to enable the Windows features required for hardware-based security. You can use the Device Guard and Credential Guard hardware readiness tool, or see the following section, Windows feature requirements for virtualization-based security.
Enable additional features as desired. When the necessary Windows features have been enabled, you can enable additional hardware-based security features as desired. You can use the Device Guard and Credential Guard hardware readiness tool, or see Enable virtualization-based security (VBS), later in this topic.

For information about enabling Credential Guard, see Protect derived domain credentials with Credential Guard.

Windows feature requirements for virtualization-based security and Device Guard

In addition to the hardware requirements found in Hardware, firmware, and software requirements for Device Guard, you must confirm that certain operating system features are enabled before you can enable VBS:

With Windows 10, version 1607 or Windows Server 2016:
Hyper-V Hypervisor, which is enabled automatically. No further action is needed.
With an earlier version of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
Hyper-V Hypervisor and Isolated User Mode (shown in Figure 1).

Note

You can configure these features by using Group Policy or Deployment Image Servicing and Management, or manually by using Windows PowerShell or the Windows Features dialog box.

Figure 1. Enable operating system features for VBS, Windows 10, version 1511

After you enable the feature or features, you can enable VBS for Device Guard, as described in the following sections.

Enable Virtualization Based Security (VBS) and Device Guard

Before you begin this process, verify that the target device meets the hardware and firmware requirements for the features that you want, as described in Hardware, firmware, and software requirements for Device Guard. Also, confirm that you have enabled the Windows features discussed in the previous section, Windows feature requirements for virtualization-based security.

There are multiple ways to configure VBS features for Device Guard:

You can use the readiness tool rather than the procedures in this topic.
You can use Group Policy, as described in the procedure that follows.
You can configure VBS manually, as described in Use registry keys to enable VBS and Device Guard, later in this topic.

Note

We recommend that you test-enable these features on a group of test computers before you enable them on users' computers. If untested, there is a possibility that this feature can cause system instability and ultimately cause the client operating system to fail.

Use Group Policy to enable VBS and Device Guard

To create a new GPO, right-click the OU to which you want to link the GPO, and then click Create a GPO in this domain, and Link it here.

Figure 2. Create a new OU-linked GPO
Give the new GPO a name, for example, Contoso VBS settings GPO Test, or any name you prefer. Ideally, the name will align with your existing GPO naming convention.
Open the Group Policy Management Editor: right-click the new GPO, and then click Edit.
Within the selected GPO, navigate to Computer Configuration\Administrative Templates\System\Device Guard. Right-click Turn On Virtualization Based Security, and then click Edit.

Figure 3. Enable VBS
Select the Enabled button, and then choose a secure boot option, such as Secure Boot, from the Select Platform Security Level list.

Figure 4. Configure VBS, Secure Boot setting (in Windows 10, version 1607)

Important

These settings include Secure Boot and Secure Boot with DMA. In most situations we recommend that you choose Secure Boot. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with Secure Boot with DMA, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see How Device Guard features help protect against threats.
For Virtualization Based Protection of Code Integrity, select the appropriate option.

Warning

Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).

Select an option as follows:
- With Windows 10, version 1607 or Windows Server 2016, choose an appropriate option:
  For an initial deployment or test deployment, we recommend Enabled without lock.
  When your deployment is stable in your environment, we recommend changing to Enabled with lock. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
- With earlier versions of Windows 10, or Windows Server 2016 Technical Preview 5 or earlier:
  Select the Enable Virtualization Based Protection of Code Integrity check box.
Figure 5. Configure VBS, Lock setting (in Windows 10, version 1607)
Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart.
Check the test computer’s event log for Device Guard GPOs.

Processed Device Guard policies are logged in event viewer at Applications and Services Logs\Microsoft\Windows\DeviceGuard-GPEXT\Operational. When the Turn On Virtualization Based Security policy is successfully processed, event ID 7000 is logged, which contains the selected settings within the policy.

Note

Events will be logged in this event channel only when Group Policy is used to enable Device Guard features, not through other methods. If other methods such as registry keys are used, Device Guard features will be enabled but the events won’t be logged in this event channel.

Use registry keys to enable VBS and Device Guard

Set the following registry keys to enable VBS and Device Guard. This provides exactly the same set of configuration options provided by Group Policy.

Warning

Virtualization-based protection of code integrity (controlled through the registry key HypervisorEnforcedCodeIntegrity) may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).

Important

Among the commands that follow, you can choose settings for Secure Boot and Secure Boot with DMA. In most situations we recommend that you simply choose Secure Boot. This option provides secure boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have secure boot with DMA protection. A computer without IOMMUs will simply have secure boot enabled.
In contrast, with Secure Boot with DMA, the setting will enable secure boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS (hardware-based) protection, although it can still have code integrity policies enabled.
For information about how VBS uses the hypervisor to strengthen protections provided by a code integrity policy, see How Device Guard features help protect against threats.

All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.

For Windows 1607 and above

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 2), in the preceding command, change /d 1 to /d 2.

To enable VBS without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "Locked" /t REG_DWORD /d 0 /f

To enable VBS with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

To enable virtualization-based protection of Code Integrity policies

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Enabled" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock (value 0)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity" /v "Locked" /t REG_DWORD /d 0 /f

To enable virtualization-based protection of Code Integrity policies with UEFI lock (value 1), in the preceding command, change /d 0 to /d 1.

For Windows 1511 and below

Recommended settings (to enable virtualization-based protection of Code Integrity policies, without UEFI Lock):

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f

If you want to customize the preceding recommended settings, use the following settings.

To enable VBS (it is always locked to UEFI)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "EnableVirtualizationBasedSecurity" /t REG_DWORD /d 1 /f

To enable VBS and require Secure boot only (value 1)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "RequirePlatformSecurityFeatures" /t REG_DWORD /d 1 /f

To enable VBS with Secure Boot and DMA (value 2), in the preceding command, change /d 1 to /d 2.

To enable virtualization-based protection of Code Integrity policies (with the default, UEFI lock)

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v "HypervisorEnforcedCodeIntegrity" /t REG_DWORD /d 1 /f

To enable virtualization-based protection of Code Integrity policies without UEFI lock

reg add "HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard" /v " Unlocked" /t REG_DWORD /d 1 /f

Validate enabled Device Guard hardware-based security features

Windows 10 and Windows Server 2016 and later have a WMI class for Device Guard–related properties and features: Win32_DeviceGuard. This class can be queried from an elevated Windows PowerShell session by using the following command:

Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windows\DeviceGuard

Note

The Win32_DeviceGuard WMI class is only available on the Enterprise edition of Windows 10.

The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. For detailed information about what each property means, refer to Table 1.

Table 1. Win32_DeviceGuard properties

Properties	Description	Valid values
AvailableSecurityProperties	This field helps to enumerate and report state on the relevant security properties for Device Guard.	0. If present, no relevant properties exist on the device. 1. If present, hypervisor support is available. 2. If present, Secure Boot is available. 3. If present, DMA protection is available. 4. If present, Secure Memory Overwrite is available. 5. If present, NX protections are available. 6. If present, SMM mitigations are available. Note: 4, 5, and 6 were added as of Windows 10, version 1607.
InstanceIdentifier	A string that is unique to a particular device.	Determined by WMI.
RequiredSecurityProperties	This field describes the required security properties to enable virtualization-based security.	0. Nothing is required. 1. If present, hypervisor support is needed. 2. If present, Secure Boot is needed. 3. If present, DMA protection is needed. 4. If present, Secure Memory Overwrite is needed. 5. If present, NX protections are needed. 6. If present, SMM mitigations are needed. Note: 4, 5, and 6 were added as of Windows 10, version 1607.
SecurityServicesConfigured	This field indicates whether the Credential Guard or HVCI service has been configured.	0. No services configured. 1. If present, Credential Guard is configured. 2. If present, HVCI is configured.
SecurityServicesRunning	This field indicates whether the Credential Guard or HVCI service is running.	0. No services running. 1. If present, Credential Guard is running. 2. If present, HVCI is running.
Version	This field lists the version of this WMI class.	The only valid value now is 1.0.
VirtualizationBasedSecurityStatus	This field indicates whether VBS is enabled and running.	0. VBS is not enabled. 1. VBS is enabled but not running. 2. VBS is enabled and running.
PSComputerName	This field lists the computer name.	All valid values for computer name.

Another method to determine the available and enabled Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Device Guard properties are displayed at the bottom of the System Summary section, as shown in Figure 6.

Figure 6. Device Guard properties in the System Summary

21 KiB Raw Blame History Unescape Escape